Casita← Back home

Privacy Policy

Effective date: June 10, 2026

This Privacy Policy explains what data Casita collects, why we collect it, and how we handle it. Casita is a household management app available at mycasita.app, operated by Bernardo Prudêncio ("Operator," "we," "us") based in Barcelona, Spain. We act as the data controller under the EU General Data Protection Regulation (GDPR).

I. Data We Collect

1. Account data

When you sign up through our authentication provider Clerk, we receive and store your name, email address, and a unique user identifier. We do not store your password — Clerk manages authentication credentials on our behalf.

2. Household data

When you create or join a household, we store your household name, membership role (owner or member), invite codes, and household settings such as theme preferences. Member email addresses are not shared with other household members through the app.

3. User content

Content you create within the app is stored in our database:

  • Recipes — titles, instructions (markdown), ingredient lists, and uploaded photos.
  • Shopping items — item names, quantities, categories, and supermarket tags.
  • To-dos — task names, statuses, due dates, and sort order.

4. Google account data

If you connect your Google account, we store an OAuth access token and refresh token to fetch your Google Calendar events. Before connecting, you are shown a consent dialog explaining what data Casita will access. We request read-only access to your calendar. We do not access your Gmail, Google Drive, or any other Google service. Calendar event data is fetched on demand and is not permanently stored in our database.

5. Technical data

Our hosting provider (Cloudflare) may log standard request metadata such as IP addresses and timestamps as part of normal infrastructure operation. Request URLs are logged without query string parameters to prevent accidental capture of sensitive data. We do not use analytics tools, tracking pixels, or advertising SDKs.

II. Why We Process Your Data

1. Legal basis (GDPR)

Processing activityLegal basis
Account creation & authenticationPerformance of contract (Art. 6(1)(b))
Storing & sharing household dataPerformance of contract (Art. 6(1)(b))
Displaying Google Calendar eventsConsent (Art. 6(1)(a)) — you initiate the connection
Infrastructure loggingLegitimate interest (Art. 6(1)(f)) — security & reliability

2. Purposes

We use your data exclusively to:

  • Operate, maintain, and improve the Service.
  • Authenticate your identity and enforce household membership.
  • Display your calendar events when you choose to connect Google.
  • Protect the Service against abuse and maintain security.

We do not sell your data, use it for advertising, profile you, or make automated decisions about you.

III. Who Has Access to Your Data

1. Household members

Recipes, shopping items, to-dos, and household settings are shared with all members of your household. Every member can view and edit this shared data. Personal account information such as email addresses is not exposed to other household members.

2. Public recipe viewers

If you generate a share link for a recipe, anyone with that link can view the recipe's title, instructions, ingredients, and photo without authentication. No account data or other household data is exposed through share links.

3. Third-party processors

We use the following service providers to operate Casita. Each processes data on our behalf and under contractual obligations:

ProviderRoleData processedLocation
ClerkAuthenticationName, email, credentialsUnited States
CloudflareHosting, database, storageAll app data, request logsGlobal edge network
GoogleCalendar APIOAuth tokens, calendar eventsUnited States

4. No other sharing

We do not share your data with any other third parties unless required by law or a valid legal order.

IV. International Transfers

1. Transfers outside the EEA

Some of our processors (Clerk, Google) are based in the United States. Cloudflare processes data across its global network, which includes locations outside the European Economic Area. These transfers are protected by:

  • The EU-U.S. Data Privacy Framework, where the processor is certified.
  • Standard Contractual Clauses (SCCs) approved by the European Commission.

V. Data Retention

1. Active accounts

We retain your data for as long as your account is active and you remain a member of a household.

2. After you leave

When you leave a household, your membership record is removed. Shared content you contributed (recipes, items, todos) remains accessible to other household members but is no longer linked to your identity. Your personal account data persists with Clerk until you delete your account.

3. Google tokens

Your Google OAuth tokens are deleted immediately when you disconnect Google through Settings. Tokens are also automatically purged after 90 days of inactivity as an additional data-minimization safeguard.

4. Account deletion

You can delete your account and all associated personal data directly from Settings → Delete account. If you are the sole owner of a household, deleting your account also permanently deletes the household and all its content (recipes, shopping items, todos, calendar connection data). You may also contact email@bernardoprd.com to request deletion. We process manual requests within 30 days.

VI. Your Rights

1. GDPR rights

Under the General Data Protection Regulation, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your personal data ("right to be forgotten"). You can delete your account directly from Settings, or contact us to request deletion.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format. You can download a JSON export of your data at any time from Settings → Download my data.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — for processing based on consent (e.g., Google Calendar), you can withdraw at any time by disconnecting the service.

2. How to exercise your rights

Data export and account deletion are available as self-service features in Settings. For all other rights, contact us at email@bernardoprd.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, aepd.es).

VII. Cookies & Local Storage

1. What we use

Casita uses the following browser storage mechanisms:

  • Authentication cookies/tokens — set by Clerk to maintain your signed-in session. These are strictly necessary for the Service to function.
  • Service worker cache — stores app assets and data locally on your device to enable offline access. This cache is managed automatically and can be cleared through your browser settings.
  • Local storage — may store UI preferences such as theme selection.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

VIII. Children

1. Age requirement

Casita is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

IX. Security

1. How we protect your data

We implement reasonable technical and organizational measures to protect your data, including:

  • All data in transit is encrypted via HTTPS/TLS.
  • Authentication is handled by Clerk with JWT-based token verification.
  • API access requires valid authentication; household data is scoped to your membership.
  • Google OAuth tokens are stored server-side and never exposed to the frontend.
  • Request logs are sanitized to exclude query string parameters that may contain sensitive data.

No system is perfectly secure. If you discover a vulnerability, please report it to email@bernardoprd.com.

X. Changes to This Policy

1. Updates

We may update this Privacy Policy from time to time. When we make material changes, we will revise the effective date at the top and notify you through the app or by email. Continued use of Casita after a change constitutes acceptance of the updated policy.

XI. Contact

1. Data controller

Bernardo Prudêncio Barcelona, Spain email@bernardoprd.com

For GDPR-related complaints, you may also contact the Spanish Data Protection Agency (AEPD) at aepd.es.